We are planning on installing an upgrade to Raiser's Edge next month. I am debating whether to go with 7.85 or 7.91. We do not currently have Net Solutions but we definitely see this in our near future as well. If we are going to utilize the credit card donation feature of Net Solutions, is it necessary for us to have 7.91 installed for the BBPS requirement?
Thanks for your help
Madalyn
Simon: We appreciate your feedback and understand your concerns. As a company that provides payment software, we are required to provide PCI DSS-compliant applications. For us to pass our software audit, we were not able to make the inactivity timeout optional. This is an industry-wide change that affects all software companies that make payment applications.
The security changes we've made (requiring strong passwords, inactivity timeout) improve data security for everything in The Raiser's Edge, not just credit card information. Our goal is to provide a secure home for your donors and their personal data, and these changes are part of that.
We're working to fix the issue with plug-ins. Other processes keep running when The Raiser's Edge is locked, so they won't be interrupted. For example, a large report would continue to run "behind the scenes" after The Raiser's Edge is locked. If it finishes while the machine is locked, you'll be able to see the results.
Madalyn: Yes, to use BBPS to store credit card data, you do need to have The Raiser's Edge 7.91 installed. If you are using NetSolutions and you do not have The Raiser's Edge 7.91 installed, you will still be able to accept credit card donations online, but credit card information for recurring gifts will not be stored in BBPS.
Hope that helps!
I am not positive, but I think some of this is on the horizon for any networked software application due to privacy laws. There are some industries and states now that already would require software with confidential information to be protected in a similar manner. I know that our patient databases in the Healthcare industry (at least at our site) do the exact same thing as what Blackbaud is implementing and there are no credit cards stored anywhere in that database.
Hey Everybody!
Just wanted to let y'all know that there will be a series of Support Roundtables starting next week to give you a chance to learn more about the changes in The Raiser's Edge and speak directly with product experts! Check out this blog post to learn more and keep the questions coming here.
Check it out - we've updated The Raiser's Edge 7.91 FAQs!
And besides PCI compliance there is the issue of PII (Personally Identifiable Information). If you've got SSN's in your database, you probably want RE to lock up after 15 minutes if someone has headed out to a meeting and left their PC on and are still logged into RE. (If it doesn't happen at your organization, can I work there?) And even if you don't, you've got data that is not for the motoring public and probably not for your maintenance crew either! I finally got through to some of my co-workers that the data in RE is just as confidential as their HR records. Unless of course they want everyone at the college to see their giving (or non-giving) history.
laura
I totally agree, Laura. All information is confidential in RE and I welcome the fact that users just cannot leave their RE running unattended. We have users throughout our university campus - we can't be around to monitor all their activity, so I welcome this added security.
Another point to make is that those users who are not using RE to store credit card (or even bank account) details should be aware that they need to be PCI compliant as well. If they store these details elsewhere (even in paper form), they ought to investigate PCI more to see whether they comply with it. Otherwise they may find themselves not being able to take those forms of payment for much longer...
Chris
Good point, Chris. The scope of PCI DSS goes beyond The Raiser's Edge - everyone who stores credit card data in any way, shape, or form is affected. For comprehensive advice on data security, get in touch with a Qualified Security Assessor.
Has anyone out here gone through the update and used BBPS for their credit card data? I'd be interested to hear what kinds of experience people are having.
If you updated without using BBPS, it's never too late to change your mind. Even if you updated without entering BBPS credentials, you can still go to https://bbps.blackbaud.com/ to create an account, then log into The Raiser's Edge as Supervisor and enter your BBPS credentials in Config, General. Check out Knowledgebase solution BB618297 for more information.
We updated 2 days ago - everything has gone pretty smoothly. We'd done thorough testing before, waiting for the patch that fixed the time-out activity issue, and then did a ton of prep for our staff for the upgrade process (basically, I required everyone to come to a training to watch an entire upgrade go through, then followed up with written instructions). We used BBPS for our credit card data - it all went well.
Nearly everyone had a completely successful upgrade. A few people interrupted the process and required an uninstall/reinstall, but that always happens and doesn't really take any more time than the upgrade.
As we have a firm PCI compliance deadline from our bank, we were thankful to have a PCI compliant version of RE to upgrade to. A few folks have griped about the time-out feature, but overall we understand that the time-out feature provides more security for all our records, not just our credit card data.
Given all the other constraints of PCI compliance (for us, we must receive credit cards in a secure area with an auditable log, never write a credit card on a piece of paper without generating an audit log, etc.) the time-out feature is a small blip in the changing landscape of PCI compliance.
Thanks for sharing your story, Faith!
I just wanted to say that we also were dreading the new time out feature but now that we have upgraded it really does not seem so bothersome. It also does not seem to time out after just 15 minutes - it seems more like a half hour or even more. Not sure why that is. But overall this new feature has not been as annoying as I thought it would be when I first read about it.
Kris
UW-Whitewater
Many organizations use a script or AD policy that forces a logoff or locks the workstation after a period of time for all users, not just RE users. Much of what is stored in many home directories and other databases is confidential. For users who do a lot of research and other tasks, being idle in the database for 15 minutes is common, and we are not looking forward to the automatic lock out and would prefer the option of continuing our own security policies.
Barbara Prine
Kingswood-Oxford School
If we use BBPS, are we then required to use one of the two currently available payment processors (IATS or ICVerify)? Is there a way to use BBPS but also use our current CC processing company (who gives us a far better rate than the BB providers)?
Hey Andrew,
Currently, our supported processors are IATS and ICVerify when authorizing credit card transactions through The Raiser's Edge in Batch.
Later this year, we will begin supporting more credit card processors in The Raiser's Edge. Take our PCI and Payment Services Survey to give us your feedback.
How does the 15 minute workstation lockout impact Windows Authentication users? Does RE lock itself? If so, what password do users enter to unlock it if they don't have an RE password?